Category Archives: Security

DB dump rescues lost dog

Matt forwarded me this sweet story today about dumping databases when faced with an unsuitable user interface.

The authors call it “Finding a lost dog’s owner with Perl and WWW::Mechanize” because that’s the meat of their story.

It starts with a lost dog and a programmer. The programmer finds an online database of dog registrations. Unfortunately the programmer isn’t sure how to find the license number, which is needed to look up the dog owner. So he proceeds to write a Perl script to automate queries and dump the entire database.

I ran wireshark captures of both a manual post in Chrome and my test script. Comparison of the captures revealed that the submit button name/value was not being sent by my script. Looking at the WWW::Mechanize docs, I found the button parameter to the submit_form() method for simulating a submit button click. It worked. I finished the script, looping over all 24996 records and soon I was pulling down all the Warren County dog registration records for 2011.

Now that he has all the information on his local system, he searches for the parameters that are more obvious to him.

After that, it was some simple calls to grep to filter the results:

cat warren_county_dogs.txt | \
grep -i springboro | \
grep -i lab | \
grep -i brown | \
grep -i female \
> brown_labs.txt

This narrowed down the 25,000 records to 39. That made it easy to visually scan the list and find the addresses that were closest to where the dog was found. That narrowed it down to three. Adam Googled the phone numbers, found that one was a cell, and texted it.

The programmer could have built a way to narrow down a license number query using the existing interface. Or he could have built an interface to query the site on his filter parameters (e.g. color, sex). Both would have left the data on the server. Instead he pounded the database to dump all its information for 2011; lucky for him (and unlucky for 24,999 other dog owners) the site operators did not notice or block his automated queries. The only thing more questionable would have been if this story tried to justify a SQL injection to dump databases and rescue a lost dog.
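The site could have noticed the dump: a single client walking consecutive license numbers at machine speed stands out in an ordinary access log. The following is an added example, not code from the original story or the county site; it assumes a hypothetical GET /lookup?license=N endpoint (the real script used POST) so the license number shows up in combined-format log lines, which are constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format line; the /lookup?license=N endpoint is an assumption.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" \d{3}')
LICENSE_RE = re.compile(r"/lookup\?license=(\d+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, license) for a lookup request, else None."""
    m = LOG_RE.match(line)
    lic = LICENSE_RE.search(m["path"]) if m else None
    if not lic:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(lic.group(1))

def find_enumerators(lines, window_s=60, min_hits=20, min_seq_ratio=0.8):
    """Flag clients that pulled many records inside one time window and mostly
    walked consecutive license numbers: {ip: (hits_in_window, seq_ratio)}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()  # by timestamp, then license
        best, j = 0, 0  # most lookups seen inside any window_s-second span
        for i in range(len(hits)):
            while (hits[i][0] - hits[j][0]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        steps = [b[1] - a[1] for a, b in zip(hits, hits[1:])]
        seq_ratio = sum(s == 1 for s in steps) / len(steps) if steps else 0.0
        if best >= min_hits and seq_ratio >= min_seq_ratio:
            flagged[ip] = (best, round(seq_ratio, 2))
    return flagged

def make_log():
    """Constructed sample: one client walking licenses 1000-1029 once a second,
    one ordinary user doing two unrelated lookups over a minute apart."""
    fmt = '{ip} - - [12/Nov/2011:10:{m:02d}:{s:02d} -0500] "GET /lookup?license={lic} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.7", m=0, s=i, lic=1000 + i) for i in range(30)]
    lines.append(fmt.format(ip="198.51.100.4", m=5, s=0, lic=4412))
    lines.append(fmt.format(ip="198.51.100.4", m=6, s=10, lic=4418))
    return lines

if __name__ == "__main__":
    print(find_enumerators(make_log()))
```

The thresholds are illustrative; tuning them against real traffic, and rate-limiting or CAPTCHA-gating clients that trip them, keeps the data on the server without breaking the odd legitimate lookup.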

This reminds me of a joke I heard many years ago. Two guys are angry that they can’t tell their horses apart. So one notches his horse’s tail. Then the other horse gets its tail caught in a fence and the notches are the same. So the other one clips his horse’s ear. Then the other horse gets into a patch of woods and clips its ear in the same spot. Finally the two men realize one horse might be slightly larger than the other. They measure and discover the white horse is a whole hand taller than the black horse.

If only the dog owner database had allowed a more useful query to begin with…

Case Study: Virtualization and PCI Compliance

Southwest Airlines is featured in a new video, which mentions PCI DSS compliance in virtual environments using VMware Configuration Manager (VCM).

I noticed this comment on efficiency at the start:

The airline industry is a very tough industry. Airlines weren’t built to run on 130 dollar barrel of fuel.

And then I noticed people in the data center wearing shorts. Shorts? PCI DSS obviously does not include a dress code or say anything about hardware MTBF.

Must be awfully hot in those racks…or maybe Southwest has also found efficiencies in cooling.

Kenya Enters War with Somalia

I watched quietly as news started to emerge from Kenya in October that they had deployed forces into Somalia. Not a single American news source that I follow reported the start of a war. Instead I read Asian and African threads.

At first I thought the invasion was predictable, given the role the Americans have played lately in Ethiopia’s push eastward from the Ogaden. Why not push Kenya to do the same? This looked like a page straight out of the book of American proxy wars in Africa. The Economist eventually ran a report that said it better than anyone:

The Americans claim that the offensive took them by surprise. That is hard to believe, especially since several of the missiles fired at jihadist fighters hidden in the mangrove swamps on the Somali side of the border seem to have been fired from American drones or submarines.

The Economist tries to make a case that such an offensive will be an economic/market gamble. Their analysis makes little sense to me. I suspect a large offer was on the table from Kenyan allies (e.g. America, China, Norway) that more than offsets the marginal impact to trade/commerce in a region already weakened by conflict and drought.

Then I wondered if the offensive was more than just an effort to put more regional pressure on Somalia. Perhaps it is meant to push forward into a position from the Kenyan border that could offer easier/faster access for American-backed intel operations specifically targeting al Shabaab.

Of course, regardless of American objectives, Kenya may be fighting for Kenyan interests (i.e. reduce the refugee flow, block terrorism, stabilize the border, extend coastal access). Daniel Branch suggests that the Kenyan offensive is mainly domestically motivated.

But this case for war is less than convincing, as it is difficult to argue that the threat from al Shabaab is substantially worse than it has been in years past. Kenyan troops have armed, trained, and organized proxy forces to fight al Shabaab on the border since at least 2009, albeit to no great effect. For at least three years, al Shabaab has threatened armed attacks on Kenya; cross-border raids by al Shabaab fighters have been a fact of life in northeastern Kenya for some time.

In fact, by some estimates, the overall threat from al Shabaab has declined in recent months: the UN’s envoy to Somalia said in August that Ugandan and Burundian peacekeepers had actually weakened the al Qaeda-affiliated militants. Nairobi’s incursion into Somalia was spurred less by the threat of al Shabaab and more by domestic military and political dynamics.

That could be the case if Kenya were the one judging the risk from al Shabaab. But if America’s intelligence officers in Kenya are offering an opinion, then Branch’s argument doesn’t hold as much weight. America wants to control the Somali theater; a threat to Kenya from al Shabaab is not the only test.

More to the point, Kenya is showing signs of significant investment in physical and logical security. USAID has announced an interesting partnership to drive a cybersecurity and incident response plan for the country.

[Information and Communication PS, Bitange] Ndemo, who was speaking during the National CIRT (Computer Incident Response Team) Capacity Building Workshop, said the Master Plan in conjunction with the USAID seeks to establish a Public Key Infrastructure (PKI) framework.

“We should finish in the next three months before we begin implementation of the PKI which creates virtual identities, which creates more trust in the internet, more than we have right now,” he said.

The Master Plan will include the development of information security management controls and procedures, cybersecurity systems, and identity and access management systems.

The government has already undertaken initiatives to enhance its digital capacity including the launch of the Kenya Computer Incident Response Team (KE-CIRT) earlier this year and the soon to be finalized National Data Centre.

The Data Protection Bill meant to provide a framework for handling citizen personal information is also in the works.

“For the first time e-government has a division to take care of the issue of information security. We have also created a common gateway protection for government traffic, so firewalls have been installed at Herufi House and the government data center,” said Katherine Getao, ICT Secretary of the Directorate of E-Government.

This could be the kind of investment I mentioned above, an offer to offset the potential market impact of the conflict with Somalia. Kenya appears to be stabilizing commerce domestically as well as establishing a foundation for regional growth. The fact that their offensive also serves American foreign policy interests, and is subsidized by US aid, should prompt more analysis of what success is supposed to look like and for whom. It appears to be a monumental shift in policy from the prior American administration.